Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Practical Cryptography Lecture 9 Searchable Encryption.

Published byLouisa Knight Modified over 9 years ago

Similar presentations

Presentation on theme: "Introduction to Practical Cryptography Lecture 9 Searchable Encryption."— Presentation transcript:

1

2 Introduction to Practical Cryptography Lecture 9 Searchable Encryption

3 1 What Area of Cryptography? Privacy-Preserving Computation (PPC) –Function (including inputs and outputs) does not reveal private information

4 2 MPC vs. PPC MPC is general – it captures all applications. Regarding privacy, MPC aims for the following: –A secure protocol must reveal no more information than the output of the function itself –That is, the process of protocol computation reveals nothing. MPC does not deal with the question of whether or not the function reveals much information – that’s the focus of Privacy- Preserving Computation ( PPC)

5 3 Privacy-Preserving Computation Search query Data repository  Client wants to preserve search privacy: Private Information Retrieval  Data repository is huge! Privacy-preserving data mining  Data are encrypted: Search over encrypted data

6 4 Untrusted Remote Storage Remote storage is ubiquitous: – E-mail, backups, CVS – Department servers, Yahoo Mail, Gmail

7 5 Untrusted Remote Storage Google’s Search Across Computers feature –“In order to share your indexed files between your computers, we first copy this content to Google Desktop servers located at Google. This is necessary, for example, if one of your computers is turned off or otherwise offline when new or updated items are indexed on another of your machines. We store this data temporarily on Google Desktop servers and automatically delete older flies, and your data is never accessible by anyone doing a Google search.” Do you trust this?

8 6 Searchable Encryption Store data externally –encrypted –want to search data easily –avoid downloading everything then decrypt –allow others to search data without having access to plaintext

9 7 Searchable Encryption - Factors When searching, what must be protected? –retrieved data –search query –search query outcome (was anything found?) Scenario –single query vs multiple queries –non-adaptive: series of queries, each independent of the others –adaptive: form next query based on previous results # of participants –single user (owner of data) can query data –multiple users can query the data, possibly with access rights defined by the owner

10 8 SSE Security Non-AdaptiveAdaptive

11 9 Search Over Encrypted Data Applications: Storage outsourcing, mail gateways, Google Desktop (“search across computers”), … Untrusted servers  Data has to be encrypted Encryption hides all information about the data  Server cannot search! Client must download entire document collection:

12 10 Search Over Encrypted Data (cont’d) Searchable Symmetric Key Encryption where client performs encryption before storing data –Recall that public key algorithms are too slow for encrypting large data Secure index (SI): Auxiliary data structure that allows the remote server to perform searches efficiently, while keeping queries and data confidential Documents are encrypted; SI is encrypted — “two-layer;” searches performed using trapdoors.

13 11 Searchable Encryption Song, Wagner, Perrig Proposal Alice wants to encrypt a document containing a sequence of n bit words, w 1, w 2 … w q Compute bitwise XOR of plaintext with sequence of “pseudorandom” bits with some structure –n-m bit strings: s 1, s 2,.. s q generated (such as from a stream cipher using a key k’) –use keyed function F on n-m bits that outputs m bits t i = s i || F ki (s i ) c i = w i  t i

14 12 Basic Idea To search for some w j, tell server –k i for each location i want to search –w j Server computes c i  w j –checks if it is of the form s || F ki (s) –s = first n-m bits, insert into F ki and see if result matches last m bits of c i  w But this requires that Alice reveals –all k i ’s in subset of data she wants to search –and w j

15 13 Don’t Reveal All k i ’s Instead, only reveal key for the w j Can use one secret key k and a function G to create k i ’s : k i = G k (w i ) Reveal w j and G k (w j ) when searching for w j If w j is in location i, does not reveal other keys, k i for i ≠ j Still reveals w j

16 14 Don’t Reveal Plaintext plaintext wiwi E sk (w i ) LiLi RiRi sisi G ki (s i ) stream cipher ciphertext

17 15 Don’t Reveal Plaintext Instead of applying process to plaintext (w 1, w 2, … w q ), encrypt w i ’s first as individual blocks –x i = E sk (w i ) Also split x i into L i || R i –where L i is n-m bits (same length as s i ) –to allow decryption – see on next slide Use L i to create k i, t i, xor with x i –k i = G k (L i ) –t i = s i || F ki (s i ) –c i = x i  t i To search for w j, Give server (x j, k j ) Server computes –t i = c i  x j for each i –checks if t i is of the form s i || F kj (s i ) –if yes, found a match

18 16 Don’t Reveal Plaintext x i broken into L i, R i to allows decryption by someone with the fixed keys –k’ (stream cipher) –sk (E – encryption of w i ’s) –k (G – function for creating k i ’s) Use k’ to compute s i Recover L i : L i = s i  (first n-m bits of c i ) Use L i to compute k i : k i = G k (L i ) Use k i to recover R i : F ki (s i )  (last m bits of c i ) Now have all of x i : x i = L i || R i Then can recover w i : w i = E -1 sk (x i )

19 17 Security Information leakage –Didn’t cover how to securely index documents After one query, does server know if two documents contain the same w i ? Over many queries can determine if document are similar –How to hide length of w i ? Overhead – typical w not a full block for a block cipher –Is each w i padded?

20 18 Searchable Encryption Curtmola, Garay, Kamara, Ostrovsky Proposal (Will cover a non-adaptive case) D = set of documents W = of words in D, w is a word in W D(w) = set of documents in D containing w T = lookup table containing information to locate and decrypt elements of A L i = linked list containing identities of documents in D(w i ) –Each node encrypted under separate key –j th node of L i contains pointer to (j+1) st node its key to (need to decrypt j th node to get information for (j+1) st node ) A = array containing all nodes from all L I ’s in random order –Can’t determine order of L I ’s within A –Can’t determine length of an L i without traversing it

21 19 Build Lists Austin Baltimore Washington Determine words in each D to create D(w)’s Build linked lists

22 20 Create Lists Austin Baltimore Washington Encrypt linked lists: establish keys, pointers, encrypt

23 21 Build Index Table Austin Baltimore Washington f( ) g( ) Build lookup table T

24 22 Create Array Merge, scramble linked lists to form A

25 23 Query Baltimore

26 24 Performance While traversing lists is linear in length of list but linear by what factor? In practice, is a block cipher used to encrypt each word? Padding? Need to run key schedule and decryption function per node

27 25 Extensions Can I share my document collection? Malicious servers Updates

28 26 Multi-User SSE

29 27 Multi-User SSE (cont’d) Similar security notions to single-user SSE’s – Secure indexes and trapdoors Revocation: owner can revoke searching privileges – Robust against user collusions Anonymity: server should not know who initiated search

30 28 Related Work Public Key Searchable Encryption (PEKS) – [BdCOP04, PKL04, GZZ05, ABC+05, BNS05, OS05] – E-mail gateways, streaming data

31 29 Work on SSE “Oblivious RAMs” [Ost90,GO96] – Optimal security (even hides access pattern) – Poly-logarithmic number of rounds “Practical techniques for searches on encrypted data” [SWP00] – First specific construction (PRGs, PRFs, PRPs) – Limitations: leaks information; inadequate security definition (IND-CPA) “Secure Indexes” [Goh03] – IND2-CKA: semantic security against chosen-keyword attacks – Efficient and IND2-CKA construction (PRFs, Bloom filters) “Privacy Preserving Keyword Searches on Remote Encrypted Data” [CM05] – Simulation-based security definition – Two constructions (PRFs,PRPs) “Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions,” [CGKO06] – Proposed four new security definitions – Two new efficient constructions for SSE IND2-CKA: Indistinguishability against Chosen-Keyword Attacks

Download ppt "Introduction to Practical Cryptography Lecture 9 Searchable Encryption."

Similar presentations

Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,

Efficient Information Retrieval for Ranked Queries in Cost-Effective Cloud Environments Presenter: Qin Liu a,b Joint work with Chiu C. Tan b, Jie Wu b,
Modern Symmetric-Key Ciphers

Modern Symmetric-Key Ciphers
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.

Building an Encrypted and Searchable Audit Log Brent Waters Dirk Balfanz Glenn Durfee D.K. Smetters.
Seny Kamara & Kristin Lauter Micorsoft Reaserch B99705013 廖以圻 B99705025 陳育旋.

Seny Kamara & Kristin Lauter Micorsoft Reaserch B 廖以圻 B 陳育旋.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CIS 5371 Cryptography 3b. Pseudorandomness.

CIS 5371 Cryptography 3b. Pseudorandomness.
Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10 1.

Structured Encryption and Controlled Disclosure Melissa Chase Seny Kamara Microsoft Research Asiacrypt '10 1.
1 Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky Johns Hopkins.

1 Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky Johns Hopkins.
Searchable Symmetric Encryption :Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky.

Searchable Symmetric Encryption :Improved Definitions and Efficient Constructions Reza Curtmola Juan Garay Seny Kamara Rafail Ostrovsky.
Processing Data in External Storage CS 302 - Data Structures Mehmet H Gunes Modified from authors’ slides.

Processing Data in External Storage CS Data Structures Mehmet H Gunes Modified from authors’ slides.
First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.

First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown and edited by Archana Chidanandan Cryptographic Tools.
1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.

1 Efficient Conjunctive Keyword-Searchable Encryption,2007 Author: Eun-Kyung Ryu and Tsuyoshi Takagi Presenter: 顏志龍.
1 Pertemuan 07 Enkripsi Simetrik Kontemporer Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.

1 Pertemuan 07 Enkripsi Simetrik Kontemporer Matakuliah: H0242 / Keamanan Jaringan Tahun: 2006 Versi: 1.
CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 3 Jonathan Katz.
Chapter 5 Cryptography Protecting principals communication in systems.

Chapter 5 Cryptography Protecting principals communication in systems.
Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Practical Techniques for Searches on Encrypted Data Author: Dawn Xiaodong Song, David Wagner, Adrian Perrig Presenter: 紀銘偉.

Similar presentations

Ads by Google